1. Classification of information
Classification of information is an essential task in information security. Classification determines which information is necessary for the operation of an organization and which is not. It also determines how sensitive the information is and what protective measures must be taken to prevent data leakage. Information classification is an essential component of information security management.
1.1 What types of information are there?
The classic classification of information into structured and unstructured data is not sufficient in information security. Structured data is defined and stored in a predictable format, for example in a relational database. Unstructured data, on the other hand, is not stored in a predictable format and is therefore more difficult to process. In information security, information is fundamentally further divided into:
- Public information: This type of information is generally accessible and can therefore be easily disseminated. Examples of public information are newspaper articles or news on television.
- Sensitive information: This type of information is not generally accessible and therefore requires special protection. Examples of sensitive information are business secrets or personal data.
In addition, there are now numerous standards and best practice approaches that address the compliant classification of information in terms of its integrity, availability and confidentiality.
1.2 Why is the classification of information so important?
Classification of information is important because it is the basis for effective information security management. Only when the information's need for protection has been determined can the appropriate protective measures be taken. In addition, classification can be used to determine whether it makes sense to pass on the information to third parties at all.
2. Need for protection and purpose
In most companies, large amounts of confidential data exist that require protection. This data is referred to as sensitive or worthy of protection in terms of data protection. As a rule, processing of this sensitive data is only permitted in compliance with certain legally prescribed protection provisions. Sensitive data is therefore particularly protected personal data, the misuse of which can cause considerable damage to the data subject.
3. Assign privileges for data transfer in a dedicated manner
Information classification is used to protect against data leakage. Information is divided into different categories, each of which contains specific access and usage rights. This ensures that only authorized persons can access and use confidential information. An essential component of information classification is the assignment of privileges. These allow users to access and use protected resources. Privileges are assigned in a dedicated manner, which means that each user has exactly the privileges he or she needs for his or her activity. This ensures that no user has more privileges than necessary. The dedicated assignment of privileges also restricts data transfer. This means that only those people who are actually authorized can access and use confidential information. This prevents unauthorized persons from accessing and possibly passing on sensitive data.
4. Data protection measures
In addition to information classification, it is also advisable to take other data protection measures. These include:
- Regulating access to sensitive information. Only authorized persons should have access to this information.
- A regular review of security devices.
- A ban on external hard drives and USB storage devices.
- Restricting access to certain computers and networks.
- The encryption of important data.
5. Responsibility for data protection
Data protection is an important issue to address. Information classification is one way to control the flow of data and prevent sensitive information from getting to the wrong people. The responsibility for data protection lies with each individual. Everyone needs to be aware of what information they are sharing and to whom. Always remember: confidential information should only be shared with people who are authorized to receive it.
6. PAM for controlled data exchange
The EU General Data Protection Regulation (GDPR) has been in force since May 2018. The regulations for the protection of personal data are becoming increasingly strict internationally and companies must adapt to the new situation. One important aspect is the control of data exchange with external service providers and partners. This is where PAM comes into play: PAM stands for Privileged Access Management and offers a way to control and regulate the exchange of sensitive information. The aim is to restrict access to certain data sets or functions in such a way that only authorized persons have access - and these only when it is absolutely necessary.
The handling of business processes usually requires collaboration between different IT systems. Often, external systems such as supplier or customer systems are also involved. In the process, it often happens that data is transmitted to external parties - for example, to place orders or transmit invoice data. However, this data exchange carries a security risk: If the data is not properly protected, it can fall into the wrong hands and be misused. VISULOX gives you control over the exchange of information between your IT systems and external systems. The software automatically identifies all information flows in your IT infrastructure and classifies them by risk level. This allows you to see at a glance which flows are particularly sensitive and what measures need to be taken to prevent misuse.
VISULOX Data Transfer Control
Our solution offers organizations the possibility to manage and document the entire data transfer, whether within the office IT or during the rollout of patches in the OT area, and to have it in their own hands at all times. Based on individual sets of rules, the transfer of files and information is holistically subject to the specifications of information security.
It is possible to release file transfers only on a dedicated basis, to tie them to the classification of the individual file, or to restrict them to specific groups of people and time periods. In addition, the organization receives a constantly available overview of all transferred data via live cockpit or retrospectively via shadow copies and generated audit trails.
- Control the transfer of data and information between IT systems themselves and between IT and OT systems
- Control data exchange centrally according to organizational or individual rules and requirements
- Determine properties that data must meet in order to be allowed to be transmitted
- Maintain audit-proof shadow copies of all moving data for documentation purposes and root cause analysis